The top 8 security threats of 2013

The past year has seen its share of newly emerging or persistent threats that security and IT executives need to be aware of and in many cases defend against.



We asked security executives and industry analysts to weigh in on what they think were the biggest threats in 2013, and why organizations should care about these possible intrusions. Here are some of the threats they cited.

More Sophisticated DDoS

Attacks continue to become more sophisticated, and that includes advancements in increasing the bandwidth of distributed denial-of-service (DDoS) attacks. The trend has accelerated in recent months, says John South, CSO at Heartland Payment Systems, a large payments processor.

"Prior DDoS attacks leveraged the many thousands of personal computers that a typical botnet herd might utilize for their attack engine," South says. "However, the huge multiplier in the newer efforts were botnets that consisted of compromised server-class equipment with much more capacity and horsepower."

Where a typical DDoS attack in 2012 might range into 3 or 4 Gbps, South says, the new attacks have bursts of more than 100 Gbps. "Many security professionals designed their DDoS strategies around the lower numbers, thinking that would be sufficient to stem a DDoS threat," he says. "Many institutions have had to rearchitect their network security strategies under the bandwidths that the newer threats pose."

This year saw the continued rise of DoS as a cyber weapon, says Mark Lobel, principal in PricewaterhouseCoopers' advisory practice focusing on security. "The bad actors don't necessarily have to steal your product or service," Lobel says. "They just have to make sure you can't deliver that product or service to your customers, which is a much lower bar than getting in, finding the data and getting away cleanly."

Attack of the Botnets

Associated with DDoS attacks is the "lethality" of the botnets that have been spreading through systems, South says.

"Using phishing techniques that have gained a much higher level of sophistication, they have been able to drop malware onto large numbers of personal and server-class equipment," South says.


Whereas the phishing attempts several years ago might have been replete with spelling and grammar errors, "the phishermen today have upped their social engineering skills and coupled these with much more credible messaging," South says. "Their success in compromising computer systems, and in turn accessing personal identity, credit card and bank account data, is illustrated in the increasing number of account takeovers that were seen in 2013."

Although phishing attacks have been around for years, they remain "a persistent, annoying but too-often effective approach [for] gaining a foothold into organizations," says Richard Greenberg, information security officer at Los Angeles County Public Health.


"Security awareness training programs can make a dent into this problem, but people who are not security practitioners cannot really be expected to be the defenders of the kingdom," Greenberg says.

Companies can try for modest gains in awareness, "but we are kidding ourselves if we think every employee will never click on a link or attachment in their email," Greenberg says. "It only takes one successful click to inject a rootkit, keylogger [or] trojan, allowing a hacker illegal entry into your environment. Clearly this is a problem to keep in our sights."

Ignored Insider Threats

Attacks from within organizations are nothing new. But the number of threats from these seemingly trusted parties is on the rise, says Michael Cox, president of SoCal Privacy Consultants.

"Many Web-facing organizations are strictly focused on external threats, which include espionage agents, saboteurs, and cyber criminals," Cox says. "However, businesses are constantly being surprised by breaches caused by workforce members and third-party services providers."

Since these trusted parties have the greatest access to sensitive information, the average cost of breaches caused by trusted parties is greater than those caused by external threats, Cox says. "The false sense of security organizations have with trusted parties has allowed breaches by these actors to grow more rapidly than those by external threats."

For employees, the primary causes of breaches are inadequate awareness and training programs, roles-based access controls and activity monitoring, Cox says. For third-party service providers, inadequate due diligence and monitoring programs are the primary causes.

Insecure Applications

Another threat that was prevalent in 2013 and will be in 2014 is the production and distribution of insecure applications.

"The proliferation of e-commerce and mobile applications has enabled many companies to have greater connectivity with their clients," South says. "But we have yet to solve the resulting problems that have been present for well over the past 10 years: injection and cross-site scripting threats."

Security professionals continue to produce code that's easily compromised, South says, given the level of sophistication of the attackers. "With the emergence of NoSQL databases and their associated injection attacks, the ability to compromise Internet-facing applications may well continue to increase rather than decrease," he says.
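The NoSQL injection South refers to is easiest to see in a login handler that copies JSON request values straight into a MongoDB-style query filter. The following is an added example, not code from the article or from any of the people quoted in it; the field names, request bodies and function names are all constructed for illustration, and no database is needed because the functions return the filter document that would be handed to a query call.

```python
"""Added example (not from the article): a MongoDB-style login filter built
directly from a JSON request body, beside a hardened builder that only
accepts plain strings, plus a recursive check that flags operator keys in
any filter built from untrusted input."""

from typing import Any

# Constructed sample request bodies. An HTML form submits strings; a crafted
# JSON body can submit an operator object in place of a string.
NORMAL_BODY = {"user": "alice", "password": "s3cret"}
CRAFTED_BODY = {"user": "alice", "password": {"$gt": ""}}


def vulnerable_login_filter(body: dict) -> dict:
    """Copies request values into the filter unchanged. With CRAFTED_BODY the
    password clause becomes {"$gt": ""}, which matches any non-empty stored
    password, so the query would return alice's record without her password."""
    return {"user": body.get("user"), "password": body.get("password")}


def contains_operator(doc: Any) -> bool:
    """Recursively looks for keys starting with '$' (query operators) anywhere
    in a filter document. Usable as a last-line detection rule or log check
    on filters assembled from request data."""
    if isinstance(doc, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in doc.items())
    if isinstance(doc, list):
        return any(contains_operator(v) for v in doc)
    return False


def hardened_login_filter(body: dict) -> dict:
    """Accepts only non-empty strings for the two fields; dicts, lists, numbers
    and missing values are rejected before they can reach the database.
    (A real handler would also compare a password hash rather than putting
    the password into the query at all; the point here is the type check.)"""
    fields = {}
    for key in ("user", "password"):
        value = body.get(key)
        if not isinstance(value, str) or not value:
            raise ValueError(f"field {key!r} must be a non-empty string")
        fields[key] = value
    return fields


if __name__ == "__main__":
    print("vulnerable:", vulnerable_login_filter(CRAFTED_BODY))
    print("operator present:", contains_operator(vulnerable_login_filter(CRAFTED_BODY)))
    try:
        hardened_login_filter(CRAFTED_BODY)
    except ValueError as exc:
        print("hardened rejected:", exc)
```

The type check is the important part: JSON deserialisation hands the application whatever shape the client sent, and a driver will happily interpret a nested object as a query operator. Rejecting non-string values at the boundary removes the whole class, and `contains_operator` gives a cheap way to audit existing code paths that build filters from request data.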


Concerns about network security "have rightfully been overtaken by concerns about the applications and services running thereon," says Jason Taule, chief security and privacy officer of FEi Systems, a healthcare technology integrator. "Both internal development teams as well as the commercial software market are paying increased attention to the demand for secure code."

The security of an application and the credentials one uses to gain access are only as strong as the process by which a user's identity was vetted to begin with, Taule says. "Requiring that a user insert a PIV card into a reader, offer up a biometric, and enter a password does nothing if these credentials weren't provided to the correct individual," he says.


The increasing sensitivity of information and the growing importance of application functionality "require that we give as much thought to identity proofing as subsequent access control," Taule says.

Data Supply Chain Threats

Data supply chain breaches are an emerging threat, says Timothy Ryan, managing director of Kroll Advisory Solutions' Cyber Investigations practice and former supervisory special agent with the Federal Bureau of Investigation.

"What we've seen this past year is that many companies are not fully aware of all the different parties that are handling or processing their data," Ryan says. "Some companies have outsourced some portion of data processing to a subcontractor, only to find out that the vendor did not have adequate security measures in place, or that they did not know how to handle an incident, or that the company did not notify them right away when there was an issue."

In multi-tenant environments, system administrators can sometimes cut corners, says Wendy Nather, research director, security at 451 Research.

"They may use the same privileged account passwords for each of their tenants, and they may insist on broad network access that an enterprise wouldn't normally allow to anyone else on the Internet," Nather says. "In this way, the third party becomes a jumping-off point for an attacker who wants to get to a particular enterprise."

Unauthorized Access by Former Employees

Unauthorized network access, especially by former employees, continues to be a security issue for many companies, Ryan says.

"What we're finding is that some companies do not fully sever all the access that former employees were provided," Ryan says. His firm is often called in prior to the termination of an employee to make sure the company effectively terminates access for that individual.

"There have also been incidents where we are called in to investigate an employee whose access was not terminated properly and help assess what has been stolen and how to remediate the issue," Ryan says.


The reason why these employees might be accessing this information varies, Ryan notes. At times, it could be to steal intellectual property--such as source code--that the individual might be interested in selling or using personally. "Or they may be accessing a network to try and secure information about pending litigation," he says. "They may be the subject of a lawsuit and trying to gather information about their termination or related issues."
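Ryan's point is that access for departed employees is not fully severed, and the practical check is a reconciliation of the HR termination list against the accounts that are still enabled on each system. The following is an added example, not code from the article or from Kroll; the CSV columns, the sample employees and the system names are constructed, and a real run would read the exports from the HR system and from each directory, VPN and application.

```python
"""Added example (not from the article): reconcile an HR export of terminated
employees against enabled accounts exported from several systems, reporting
accounts that have outlived their owner's termination date and accounts that
have no owner on record at all."""

import csv
import io
from datetime import date

# Constructed sample data. HR_CSV is what an HR system export might look like;
# ACCOUNTS_CSV is a combined export of accounts from several systems.
HR_CSV = """employee_id,name,status,termination_date
1001,Alice Example,active,
1002,Bob Example,terminated,2013-11-15
1003,Carol Example,terminated,2013-12-20
"""

ACCOUNTS_CSV = """system,account,employee_id,enabled
directory,alice,1001,true
directory,bob,1002,true
vpn,bob,1002,true
directory,carol,1003,false
sourcecontrol,carol,1003,true
sourcecontrol,svc-build,,true
"""


def load_rows(text: str) -> list:
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def orphaned_accounts(hr_csv: str, accounts_csv: str, as_of: date):
    """Return (orphaned, unowned).

    orphaned: (system, account, employee_id, days_since_termination) for every
              enabled account whose owner HR marks as terminated.
    unowned:  (system, account) for enabled accounts with no employee_id, so
              service accounts are surfaced for review instead of skipped."""
    terminated = {}
    for row in load_rows(hr_csv):
        if row["status"] == "terminated" and row["termination_date"]:
            terminated[row["employee_id"]] = date.fromisoformat(row["termination_date"])

    orphaned, unowned = [], []
    for acct in load_rows(accounts_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled; nothing to do
        owner = acct["employee_id"].strip()
        if not owner:
            unowned.append((acct["system"], acct["account"]))
        elif owner in terminated:
            days = (as_of - terminated[owner]).days
            orphaned.append((acct["system"], acct["account"], owner, days))
    return orphaned, unowned


if __name__ == "__main__":
    found, unknown = orphaned_accounts(HR_CSV, ACCOUNTS_CSV, date(2013, 12, 31))
    for system, account, owner, days in found:
        print(f"DISABLE {system}/{account}: owner {owner} left {days} days ago")
    for system, account in unknown:
        print(f"REVIEW  {system}/{account}: no owner on record")
```

Two design choices matter here. Disabled accounts are skipped rather than reported, so the output is an action list, not an inventory. And accounts with no owner are reported separately rather than ignored, because an orphaned service account or a shared login created by a departed administrator is exactly the access that survives an offboarding checklist keyed on a person.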

Embedded Systems Vulnerabilities

Many non-traditional devices are increasingly on networks these days, Taule says, including Internet-enabled cameras, digital video recorders, badge readers and other non-PC devices with an IP address.

"And for those of you who think the Internet of Things--or 'Internet of Vulnerabilities' as I recently heard a colleague quip--is still years off, just ask a peer who works in a hospital and has to deal with untold numbers of network enabled/connected medical devices," Taule says.

"We are fooling ourselves if we think we have our risk exposure well in hand simply by managing the threats to traditional network devices," Taule says. "We must expand our situation awareness capabilities to provide full coverage for everything connected to the network."

The Growth of Bitcoin

Bitcoin, the open source electronic money and payment network that uses cryptography to secure transactions, comes with its own set of security risks, says Ariel Silverstone, an independent consulting CISO.

Bitcoin is the harbinger of a more digital economy, Silverstone says, but its vulnerabilities--from the hacking of hosting sites to pure crypto attacks--are just being discovered.

"The fact that multiple attacks on Bitcoin have been so successful, I suspect will lead to renewed attempts at attacking money- and transaction-transferring mechanisms," Silverstone says. "These, such as PayPal, Swift, and also business and bank-initiated environments, transfer trillions of dollars per day. Many of them rely on little security [and are] susceptible to attacks."

Stories by Bob Violino